Introduction

Samba supports shares with POSIX access control lists (ACLs). They enable you to manage permissions locally on the Samba host using UNIX utilities. If the file system hosting the share supports POSIX ACLs (on Linux they are stored in extended attributes, for example on ext4 and XFS), you can use extended POSIX ACLs to grant rights to multiple users and groups, similar to Windows ACLs. For details, see Setting Extended ACLs. If you require the fine-grained Windows ACLs instead, set up a share using Windows ACLs. For details, see Setting up a Share Using Windows ACLs.

Samba supports shares with POSIX ACLs on:

Domain members

NT4 PDC and BDCs

Standalone hosts

On a Samba Active Directory (AD) domain controller (DC), Windows ACL support is enabled globally, and therefore shares with POSIX ACLs are not supported.

Preparing the Host

Before you are able to create a share, set up Samba. For details, see:

Making Files Executable

With the default setting, users can only execute files, such as *.exe and *.bat, on a Samba share if the file has the POSIX x-bit set. For example, the following file is executable for the root user and members of the Domain Users group:

In some scenarios it is necessary to let users execute all files on a share, regardless of whether the x-bit is set. To enable this, set in the [global] section of your smb.conf:

acl allow execute always = yes

Note that the x-bit only decides whether Samba lets a client open a file for execution. Any user who can read the file can still copy it and run the copy locally, so the bit restricts convenience rather than access to the file's contents; the real access control remains the read permission on the file.

Adding a Share

To share the /srv/samba/Demo/ directory using the Demo share name:

Create the directory:

# mkdir -p /srv/samba/Demo/

Add the [Demo] share definition to your smb.conf file:

[Demo]
path = /srv/samba/Demo/
read only = no

These are the minimum parameters required to set up a writable share. Optionally, you can set share permissions. For details, see Setting Share Permissions.

Reload the Samba configuration:

# smbcontrol all reload-config

Setting ACLs

Setting Standard UNIX ACLs

The standard access control lists (ACLs) on a UNIX operating system support setting permissions for one owner, one group, and everyone else (other). If you need to grant rights to multiple users or groups on a directory, see Setting Extended ACLs.

For example, to set the owner of the /srv/samba/Demo/ directory to root, grant read and write permissions to the owner and the Domain Users group, and deny access to all other users, enter:

Setting the SGID bit (2770) makes all new files and directories created below inherit the directory's group, instead of the creating user's primary group.

For further details about the permissions, see the chmod(1) and chown(1) man pages.
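The ownership and mode change described above as an added shell example; this is not code from the Samba wiki page. The function names set_standard_acl and dir_mode are this example's own, and the owner and group are parameters so the same function can be tried on a scratch directory as an unprivileged user. Applying it to the page's values (/srv/samba/Demo/, root, Domain Users) requires root and an existing Domain Users group.

```shell
#!/bin/sh
# Added example (not from the page): apply the page's standard UNIX permission
# model to a share directory and verify the resulting mode.
set -u

# set_standard_acl DIR OWNER GROUP
# Owner and group get rwx, everyone else gets nothing, and the SGID bit makes
# new files and subdirectories inherit the directory's group.
set_standard_acl() {
    dir=$1; owner=$2; group=$3
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    chown "$owner:$group" "$dir" || return 1
    chmod 2770 "$dir" || return 1
}

# dir_mode DIR -> symbolic mode string such as drwxrws---
# ls is used instead of stat because stat's format flags differ between
# GNU and BSD userlands.
dir_mode() {
    ls -ld "$1" | cut -c1-10
}

# The page's values, to be run as root on the Samba host (assumption: a group
# named "Domain Users" resolves, e.g. through winbind on a domain member):
# set_standard_acl /srv/samba/Demo/ root "Domain Users"
# dir_mode /srv/samba/Demo/      # drwxrws---
```

The trailing "s" in the group triplet of dir_mode's output is the check that the SGID bit is in effect together with group execute; a capital "S" there would mean the bit is set but the group lacks the x-bit, so inheritance works but group members cannot traverse the directory.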

Setting Extended ACLs

If your file system supports extended access control lists (ACLs), you can use extended POSIX ACLs. They enable you to set permissions for multiple users and groups on a file or directory, similar to Windows ACLs. However, a POSIX ACL entry only carries read, write, and execute bits, so there is no equivalent of the fine-grained Windows rights such as delete, change permissions, or take ownership. Seen from a Windows client, POSIX ACLs are limited to the following general permission modes:

None

Read

Write

Full control

For example, to set read, write, and execute permissions for the Domain Admins group, read and execute permissions for the Domain Users group, and deny access to everyone else on the /srv/samba/Demo/ directory:

Add the inherit acls = yes parameter to the share's configuration. For example:

[Demo]
path = /srv/samba/Demo/
read only = no
inherit acls = yes

The inherit acls = yes parameter ensures that default ACLs on a parent directory are honoured when a client creates a new file or subdirectory there; without it, Samba applies the usual create and directory masks to new entries, which can discard the inherited permissions. For further details, see the parameter description in the smb.conf man page.

Reload Samba:

# smbcontrol all reload-config

Verify that the directory is stored on a file system that supports extended ACLs. For details, see File System Support.

Disable the automatic grant to the directory's owning group, so that users do not receive access merely because the directory's group is their primary group:

The owning group of the directory is additionally mapped to the dynamic CREATOR GROUP principal. If you use extended POSIX ACLs on a Samba share, this principal is added automatically and you cannot remove it. For further details about the CREATOR GROUP principal, see Well-known security identifiers in Windows operating systems.
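The setfacl steps of the procedure above (Domain Admins read, write and execute; Domain Users read and execute; nothing for everyone else; no automatic grant to the owning group) as an added shell example; this is not code from the Samba wiki page. The function names set_extended_acls and acl_has_entry are this example's own. Each permission is applied both as an access entry and as a default entry, so that new files and subdirectories inherit the same layout. It requires the acl package (setfacl and getfacl) and a directory on an ACL-enabled file system; the group names are parameters, and resolving the page's Domain Admins and Domain Users names assumes a domain member with winbind or local groups of those names.

```shell
#!/bin/sh
# Added example (not from the page): extended POSIX ACL layout for a share
# directory, with default entries for inheritance and the owning-group entry
# set to none.
set -u

# set_extended_acls DIR ADMINS_GROUP USERS_GROUP
set_extended_acls() {
    dir=$1; admins=$2; users=$3
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    # named-group entries, each as an access entry plus a default entry
    setfacl -m "group:$admins:rwx,default:group:$admins:rwx" "$dir" || return 1
    setfacl -m "group:$users:r-x,default:group:$users:r-x" "$dir" || return 1
    # everyone else: nothing, now and for newly created entries
    setfacl -m "other::---,default:other::---" "$dir" || return 1
    # owning group: no implicit permissions (the "auto-granting" step above);
    # setfacl recalculates the mask entry from the named groups, so their
    # effective rights are unaffected
    setfacl -m "group::---,default:group::---" "$dir" || return 1
}

# acl_has_entry DIR ENTRY -> true if getfacl lists ENTRY as a whole line,
# with numeric user and group IDs (getfacl -n) and without the header (-c)
acl_has_entry() {
    getfacl -c -n "$1" 2>/dev/null | grep -qx "$2"
}

# The page's values, to be run as root on the Samba host:
# set_extended_acls /srv/samba/Demo/ "Domain Admins" "Domain Users"
# getfacl /srv/samba/Demo/
```

After applying it, check the mask:: line in the getfacl output: it must be rwx, otherwise the named-group entries are capped and getfacl flags each one with an #effective: comment. A later chmod on the directory rewrites that mask, which is the usual reason an extended ACL silently stops granting what it lists.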

Configuring User and Group-based Share Access

Share-based access control enables you to grant or deny access to a share for certain users and groups. For example, to enable all members of the Domain Users group to access a share while access is denied for the example_user account, add the following parameters to the share's configuration:

The invalid users parameter takes precedence over the valid users parameter. For example, if the example_user account is a member of the Domain Users group, access is still denied for this account in the previous example. Note that both parameters only control access to the share as a whole; the file system permissions and ACLs described above still apply to every file inside it.

For further details, see the parameter descriptions in the smb.conf(5) man page.
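The share set-up from Adding a Share (create the directory, add the [Demo] section, reload) together with the user and group restriction just described, as one added shell example; this is not code from the Samba wiki page. The function names add_posix_share, share_param and reload_samba are this example's own, the smb.conf path is a parameter, and /etc/samba/smb.conf, Demo and /srv/samba/Demo/ are only assumed in the usage comments. The valid users value uses the @ prefix for a group name and quotes because the name contains a space.

```shell
#!/bin/sh
# Added example (not from the page): create a share directory and append its
# definition to smb.conf, optionally restricted by valid users / invalid users.
set -u

# add_posix_share CONF SHARE DIR [VALID_USERS] [INVALID_USERS]
# Refuses a share name that is already defined, so two definitions of the
# same share (with later values overriding earlier ones) cannot be created.
add_posix_share() {
    conf=$1; share=$2; dir=$3; valid=${4:-}; invalid=${5:-}
    if [ -f "$conf" ] && grep -qxF "[$share]" "$conf"; then
        echo "share [$share] is already defined in $conf" >&2
        return 1
    fi
    mkdir -p "$dir" || return 1
    {
        printf '\n[%s]\n' "$share"
        printf 'path = %s\n' "$dir"
        printf 'read only = no\n'
        # invalid users takes precedence over valid users, so a denied account
        # stays denied even if it is a member of an allowed group
        [ -n "$valid" ]   && printf 'valid users = %s\n' "$valid"
        [ -n "$invalid" ] && printf 'invalid users = %s\n' "$invalid"
        :
    } >> "$conf"
}

# share_param CONF SHARE PARAM -> value of PARAM inside [SHARE], empty if unset
# (reads the "name = value" lines this script writes; it is not a full
# smb.conf parser)
share_param() {
    awk -v s="[$2]" -v p="$3" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line ~ /^\[/ { insec = (line == s); next }
        insec && index(line, p " = ") == 1 { sub(/^[^=]*= */, "", line); print line; exit }
    ' "$1"
}

# reload_samba CONF: validate the file with testparm when available, then
# tell all running smbd processes to reload their configuration
reload_samba() {
    if command -v testparm >/dev/null 2>&1; then
        testparm -s "$1" >/dev/null || return 1
    fi
    smbcontrol all reload-config
}

# Usage on the Samba host (assumed paths):
# add_posix_share /etc/samba/smb.conf Demo /srv/samba/Demo/ '@"Domain Users"' example_user
# reload_samba /etc/samba/smb.conf
```

Running testparm before the reload matters more than it looks: smbd keeps serving with the previous configuration if the new file fails to parse, so a typo in the restriction lines would leave the share open with whatever access rules were in effect before.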

Configuring Host-based Share Access

Host-based access control enables you to grant or deny access to a share based on host names, IP addresses, or IP ranges. For example, to enable the 127.0.0.1 IP address, the 10.99.0.0/24 IP range, and the GoodHost host name to access a share, and additionally deny access for the BadHost host name, add the following parameters to the share's configuration:

hosts allow = 127.0.0.1 10.99.0.0/24 GoodHost
hosts deny = BadHost

The hosts deny parameter takes precedence over the hosts allow parameter. For example, if BadHost resolves to an IP address that is listed in the hosts allow parameter, access from this host is still denied. Host names are matched by resolving the client's address, so the check is only as trustworthy as your name resolution; where the source networks are known, prefer IP addresses and ranges over host names.

For further details, see the parameter descriptions in the smb.conf(5) man page.